Stratos Ally

When a Packet Crashes the Party: Palo Alto PAN-OS Firewall Flaw Lets Hackers Hit Reboot 

StratosAlly

A newly disclosed flaw in Palo Alto PAN-OS firewall software is giving security teams a reason to double-check their patching schedules. Tracked as CVE-2025-4619, the vulnerability allows unauthenticated attackers to remotely reboot firewalls by sending a specially crafted packet. It requires no credentials and no user interaction, just a single malicious packet sent over the network.

CVE-2025-4619 is a denial-of-service (DoS) vulnerability found in the PAN-OS software’s dataplane. It is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions). If the firewall receives a malformed packet, it may unexpectedly reboot. If attackers continue to exploit this flaw, the firewall may enter maintenance mode, disabling it until it is restored manually. 

Only earlier builds in each version line are affected. These include several sub-versions, such as: 

PAN-OS 11.2: Builds prior to 11.2.2-h2, 11.2.3-h6, 11.2.4-h4, and all 11.2.x releases before 11.2.5 

PAN-OS 11.1: Builds prior to 11.1.2-h9, 11.1.2-h18, 11.1.3-h2, 11.1.4-h4, 11.1.4-h13, 11.1.6-h1, and all versions before 11.1.7 

PAN-OS 10.2: Builds prior to the fixed hotfixes for 10.2.4, 10.2.7, 10.2.8, 10.2.9, 10.2.10, 10.2.11, 10.2.12, 10.2.13, and all versions before 10.2.14 

PAN-OS 10.1: Not affected. 

Prisma Access: Impacted when running PAN-OS versions that have not reached the corresponding fixed hotfix levels, such as builds earlier than 10.2.4-h25, 10.2.10-h14, or 11.2.4-h4, depending on the version line. 

PAN-OS 12.1 and Cloud NGFW deployments are not affected. The vulnerability impacts only firewalls with a URL proxy enabled or any decryption policy configured. Once a decryption policy is present, the issue may occur regardless of whether traffic matches a decrypt rule, a no-decrypt rule, or does not match any decryption policy. No known workarounds currently exist. Administrators are strongly advised to prioritize patching due to the ease of exploitation and potential operational impact. As of the publication date, Palo Alto Networks has not identified any active malicious exploitation of this vulnerability. 
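
A version triage built from the build list and the precondition above, as an added example that is not code from the article or from Palo Alto Networks. The function names, result strings and inventory rows are hypothetical; where the article lists two hotfixes for one maintenance release the higher is assumed, and 10.2 builds below 10.2.14 return "check advisory" because the article does not give their hotfix numbers.

```python
import re

# Fixed hotfix per maintenance release, as listed in the article. Where two
# hotfixes are listed for one release (11.1.2, 11.1.4) the higher is used
# (assumption: the conservative reading).
FIXED_HOTFIX = {(11, 2): {2: 2, 3: 6, 4: 4}, (11, 1): {2: 18, 3: 2, 4: 13, 6: 1}}
# First maintenance release in which every build is fixed, per the article.
FIXED_FROM = {(11, 2): 5, (11, 1): 7, (10, 2): 14}
UNAFFECTED_LINES = {(10, 1), (12, 1)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Split e.g. '11.1.4-h13' into ((11, 1), 4, 13); no hotfix means 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor)), int(maint), int(hotfix or 0)

def assess(version, decrypt_or_url_proxy):
    """Triage one firewall against the article's list for CVE-2025-4619."""
    line, maint, hotfix = parse_version(version)
    if line in UNAFFECTED_LINES:
        return "not affected"
    if line not in FIXED_FROM:
        return "check advisory"   # version line not covered by the article
    if maint >= FIXED_FROM[line]:
        return "fixed"
    if line not in FIXED_HOTFIX:
        return "check advisory"   # 10.2 hotfix numbers are not in the article
    needed = FIXED_HOTFIX[line].get(maint)
    if needed is not None and hotfix >= needed:
        return "fixed"
    # Vulnerable build; exposure depends on URL proxy or a decryption policy.
    return "affected" if decrypt_or_url_proxy else "affected build, feature off"

if __name__ == "__main__":
    # Constructed inventory: (hostname, PAN-OS version, decryption/URL proxy on)
    inventory = [
        ("fw-edge-01", "11.2.4-h3", True),
        ("fw-edge-02", "11.1.4-h13", True),
        ("fw-lab-01", "11.2.1", False),
        ("fw-dc-01", "10.2.13-h5", True),
    ]
    for host, version, feature in inventory:
        print(f"{host:12} {version:12} {assess(version, feature)}")
```
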

Palo Alto Networks has assigned CVE-2025-4619 a CVSS v4.0 score of 6.6, categorizing it as MEDIUM severity with MODERATE urgency. The CVSS-B score is 8.7, indicating significant potential business impact. 

Organizations using Palo Alto firewalls should immediately review their PAN-OS versions and apply the necessary patches. The vulnerability’s ease of exploitation and potential to force firewalls into maintenance mode underscore the importance of timely patch management. While there is no evidence of active exploitation at this time, the risk of disruption to network operations is real and warrants prompt action. Finally, even a simple packet can cause big trouble when it finds the right flaw. And while few defenders relish sudden maintenance windows, knowing where (and how) to prepare remains half the battle. 
